VICEROY: GDPR-/CCPA-compliant Enforcement of Verifiable Accountless Consumer Requests
In 30th Annual Network and Distributed System Security Symposium, NDSS 2023, San Diego, California, USA, 27 February 2023 - 3 March 2023, 2023
Data regulation laws such as GDPR and CCPA provide consumers (or data subjects) with rights to request data operations such as access, modification, or deletion of their collected data. Authenticating consumers is crucial when conducting these operations, as such data can be privacy-sensitive. This is straightforward for consumers with accounts, as they simply authenticate by logging into their account. Such data regulation laws also require the same rights to be provided to accountless consumers. However, authenticating such consumers has been ad hoc, insecure, and privacy-invasive. In this work, we present VICEROY, a first-of-its-kind protocol that allows accountless consumers to authenticate themselves securely, privately, and at scale. We prove the security of VICEROY via the Tamarin prover and its scalability through extensive evaluation.
Vronicle: verifiable provenance for videos from mobile devices
In MobiSys ’22: The 20th Annual International Conference on Mobile Systems, Applications and Services, Portland, Oregon, 27 June 2022 - 1 July 2022, 2022
Videos have always been used in security-critical applications where videos are used as evidence or the videos themselves are sensitive. This was due to the fact that faking them was generally believed to be nearly impossible. However, there is an increasingly concerning trend of fraudulent videos, the so-called deepfakes. In this work we propose a novel system that generates fine-grained, cryptographically verifiable provenance information for videos without compromising performance. We utilize TEEs on both the device that takes the videos and the servers that process the videos. Our extensive measurements show that our proof-of-concept implementation outperforms the state-of-the-art system and is comparable with modern video hosting websites that do not provide such provenance information.
CACTI: Captcha Avoidance via Client-side TEE Integration
In 30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021, 2021
Preventing abuse of web services is becoming increasingly important, as bot activities are becoming widespread. CAPTCHAs are commonly used to thwart bot abuse by distinguishing bots from real human users. However, CAPTCHAs are well known to be frustrating for humans, as they take time to solve. Moreover, the rise of machine-learning-based image recognition technology as well as CAPTCHA farms decreases the effectiveness of CAPTCHAs. In addition, privacy concerns related to more modern CAPTCHAs (e.g., behavior-based CAPTCHAs) are starting to attract public attention. In this work, we propose a novel system that utilizes client-side TEEs to solve the aforementioned issues. Our system, CACTI, allows users (bot or human) to cryptographically prove how many times they have conducted an action in a given timeframe (“rate”). Based on this “rate-proof”, the server can allow the user to skip solving CAPTCHAs entirely. Our measurements show that the end-to-end latency of CACTI is about 0.25 seconds and the overall bandwidth used is 98% smaller compared to conventional CAPTCHAs. Additionally, the use of group signature schemes prevents servers from tracking users based on the proofs.
PDoT: Private DNS-over-TLS with TEE Support
Digital Threats, Feb 2021
PDoT: Private DNS-over-TLS with TEE support
In Proceedings of the 35th Annual Computer Security Applications Conference, ACSAC 2019, San Juan, PR, USA, December 09-13, 2019, Feb 2019
DNS-over-TLS was introduced to improve user privacy, as DNS packets are currently sent over the Internet in plaintext. However, DNS-over-TLS still suffers from privacy issues caused by malicious recursive resolvers, and also from usability issues. PDoT is a novel recursive resolver architecture that aims to overcome both of these issues using Trusted Execution Environments (TEEs).
FROG: A Packet Hop Count based DDoS Countermeasure in NDN
In 2018 IEEE Symposium on Computers and Communications, ISCC 2018, Natal, Brazil, June 25-28, 2018, Feb 2018
Named Data Networking (NDN) is one of the emerging future Internet architectures that aims to put content at the center of communication. Similar to the current Internet, NDN also suffers from DDoS attacks. FROG aims to detect and mitigate DDoS attacks in NDN using a novel method that utilizes packet hop counts.